IPA server decimal and hexadecimal usage in CA and KRA pki-tomcat serial number ranges
Issue
- An IPA replica server was rebuilt and created a new Key Recovery Authority (KRA) serial number range to be used as its next range. In LDAP it appears as:

      dn: cn=270000001,ou=keyRepository,ou=ranges,o=kra,o=ipaca
      beginRange: 270000001
      endRange: 280000000
      host: ipareplica01.example.com

- In /etc/pki/pki-tomcat/kra/CS.cfg the range appears as:

      dbs.beginSerialNumber=20ffa0001
      dbs.endSerialNumber=20ffb0000

- When a specific repository is initialised with the hexadecimal radix, it gets the numbers from LDAP, which are always returned in decimal radix, and then interprets them as hexadecimal.
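
The radix mismatch described above, as an added example that is not part of the original article and is not Dogtag or IPA code: it reads the LDAP and CS.cfg values quoted above under both radixes and shows why the misreading raises no parse error. The function names are hypothetical, and Python's int(value, radix) stands in for the server's own parsing.

```python
# Added illustration: the same digit strings read under radix 10 and radix 16.
# Inputs are the LDAP entry and CS.cfg lines quoted in the article.
LDIF = """\
dn: cn=270000001,ou=keyRepository,ou=ranges,o=kra,o=ipaca
beginRange: 270000001
endRange: 280000000
host: ipareplica01.example.com
"""
CS_CFG = """\
dbs.beginSerialNumber=20ffa0001
dbs.endSerialNumber=20ffb0000
"""

def ldap_range(ldif):
    """Return (beginRange, endRange) as the raw strings stored in LDAP."""
    attrs = dict(l.split(": ", 1) for l in ldif.splitlines() if ": " in l)
    return attrs["beginRange"], attrs["endRange"]

def cs_cfg_range(cfg):
    """Return the raw dbs.*SerialNumber strings from CS.cfg text."""
    kv = dict(l.split("=", 1) for l in cfg.splitlines() if "=" in l)
    return kv["dbs.beginSerialNumber"], kv["dbs.endSerialNumber"]

def read_range(begin, end, radix):
    """Interpret a range under one radix; return (low, high, size)."""
    lo, hi = int(begin, radix), int(end, radix)
    return lo, hi, hi - lo + 1

def silently_ambiguous(value):
    """True when the string has only 0-9, so it parses under both radixes."""
    return value != "" and all(c in "0123456789" for c in value)

def report(ldif=LDIF, cfg=CS_CFG):
    """Compare both readings of the LDAP range with the CS.cfg range."""
    begin, end = ldap_range(ldif)
    return {
        "ambiguous": silently_ambiguous(begin) and silently_ambiguous(end),
        "ldap_as_decimal": read_range(begin, end, 10),
        "ldap_read_as_hex": read_range(begin, end, 16),
        "cs_cfg_as_hex": read_range(*cs_cfg_range(cfg), 16),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

For the LDAP entry above, the decimal reading spans 10,000,000 serial numbers, while the hexadecimal reading of the same strings spans 268,435,456 and starts at a different value.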
Environment
- Red Hat Enterprise Linux (RHEL)
  - 8
- Identity Management (IdM)
  - ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64